This file lists the major changes made between Owl releases. While
some of the changes listed here may also be made to a stable branch,
the complete lists of stable branch changes are included with those
branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes. Small changes to
individual packages won't be mentioned here unless they fix a security
or a critical reliability problem. They are, however, mentioned in
change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed.
The three comma-separated metrics given after "Severity:" are: risk
impact (low, medium, or high), attack vector (local, remote, or
indirect), and whether the attack may be carried out at will (active) or
not (passive). Please note that the specified risk impact is just that,
it is not the overall severity, so other metrics are not factored into
it. For example, a "high" impact "local, passive" issue is generally of
lower overall severity than a "high" impact "remote, active" one - this
is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is
generally considered to have a "low" risk impact (even if it is a
"remote, active" one, which is to be considered separately as it may
make the vulnerability fairly critical under specific circumstances).
Some examples of "medium" impact vulnerabilities would be persistent DoS
(where the DoS effect does not go away with a (sub)system restart), data
loss, bugs enabling non-critical information leaks, cryptographic
signature forgeries, and/or sending of or accepting spoofed/forged
network traffic (where such behavior was unexpected), as long as they
would not directly allow for a "high" impact attack. Finally, a typical
"high" impact vulnerability would allow for privilege escalation such as
ability to execute code as another user ID than the attacker's (a
"local" attack) or without "legitimately" having such an ability (a
"remote" attack).

The metrics specified are generally those for a worst case scenario,
however in certain cases ranges such as "none to low" and/or "local to
remote" may be specified, referring to the defaults vs. a worst case yet
"legitimate" custom configuration. In some complicated cases, multiple
issues or attacks may be dealt with at once. When those differ in their
severity metrics, we use slashes to denote the possible combinations.
For example, "low/none to high, remote/local" means that we've dealt
with issue(s) or attack(s) that are "low, remote" and those that are
"none to high, local". In those tricky cases, we generally try to
clarify the specific issue(s) and their severities in the description.

Merged into the tree many changes, most of them sponsored by Rapid7
under their Magnificent7 program, which have ultimately resulted in
John the Ripper 1.8.0 release. The code in Owl was then updated some
further, up to version 1.8.0.2.
Reference:
http://www.openwall.com/lists/announce/2013/05/30/1

Corrected the processing of '\x80' characters in extended DES-based
crypt(3) hashes. A related issue affecting traditional DES-based
crypt(3) hashes is known as CVE-2012-2143 in other projects using the
same FreeSec code, but luckily in Owl we've been using this code only
for the extended hashes (continuing to use upstream glibc's UFC-crypt
for traditional ones), and these were only affected in terms of
compatibility (with BSD/OS and certain other implementations), but not
security. Hence, this is not a security fix.

2012/08/14 Package: slang

Dropped S-Lang from Owl. We never made use of it in Owl itself.

2012/08/14 Package: binutils

Updated to 2.23.51.0.1.

2012/07/23 Package: tcsh

Updated to 6.18.01.

2012/05/12 Package: binutils

Updated to 2.22.52.0.1.

2012/05/08 Package: syslinux

Updated to 4.05.

2012/05/08 Package: lftp

Updated to 4.3.6. Corrected an assertion failure with torrent peer id
generation when the lftp PID is above 65535. Added a patch proposed by
upstream to always obtain and report exact file timestamps.

Enabled building of UTF-8 locales by default (adds 6.5 MB to glibc .rpm
package size and 36 MB to installed system size on a filesystem with
4 KB blocks, unfortunately).

2012/02/12 -
2012/02/18 Package: gcc; Owl/build/.rpmmacros

Enabled -Wl,-z,relro and -Wl,-z,now by default as a security hardening
measure, rebuilt all packages. In most cases the performance impact is
non-existent or negligible. To disable these options (for whatever
reason), pass -Wl,-z,norelro and -Wl,-z,lazy to gcc, respectively.
Note: ld(1) still uses -z norelro and -z lazy by default; only gcc's
defaults are changed. (We already had -Wl,-z,relro in
Owl/build/.rpmmacros since 2011/11/04; now that change is reverted in
favor of gcc's change of default, and we've also added -Wl,-z,now.)
References:
http://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html
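Whether a rebuilt binary actually picked up the two hardening options above can be checked from its ELF headers: -z relro produces a PT_GNU_RELRO program header, and -z now sets BIND_NOW in the dynamic section (DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1); both together are what tools usually report as "full RELRO". The checker below is an added example, not part of Owl or of the referenced posts; it parses little-endian ELF32/ELF64 images directly, and build_elf() constructs a headers-only ELF64 image (not a runnable program) so the checker can be exercised without a compiler.

```python
"""Check ELF binaries for PT_GNU_RELRO (-z relro) and BIND_NOW (-z now).
Added example, not Owl code: a minimal ELF parser plus a constructed-ELF builder."""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8   # bit in DT_FLAGS
DF_1_NOW = 0x1      # bit in DT_FLAGS_1


def check_relro(data: bytes) -> dict:
    """Inspect program headers and the dynamic segment of a little-endian ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = data[4] == 2
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)

    relro = False
    dyn = None  # (file offset, size) of the PT_DYNAMIC segment
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        else:
            p_type, p_offset, _, _, p_filesz = struct.unpack_from("<IIIII", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)

    bind_now = False
    if dyn:
        fmt, entsize = ("<QQ", 16) if is64 else ("<II", 8)
        for off in range(dyn[0], dyn[0] + dyn[1], entsize):
            d_tag, d_val = struct.unpack_from(fmt, data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    return {"relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now}


def build_elf(relro: bool, now: bool) -> bytes:
    """Constructed ELF64 image (headers only, not executable) used to exercise the checker."""
    dyn = (struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if now else b"") + struct.pack("<QQ", DT_NULL, 0)
    nph = 2 if relro else 1
    dyn_off = 64 + nph * 56                      # dynamic entries follow the program headers
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, nph, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python check_relro.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_relro(f.read()))
```

Running it over /bin or /usr/lib after the rebuild gives a quick inventory of which binaries still lack BIND_NOW; a binary showing relro but not bind_now was probably linked with -Wl,-z,lazy or by a toolchain that does not yet default to -z now.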

John the Ripper has been enhanced in numerous ways, most notably gaining
OpenMP parallelization for more hash types, resulting in its 1.7.9
release, which is also part of Owl (as usual). The Owl package of John
the Ripper now actually has OpenMP parallelization and support for Intel
AVX and AMD XOP enabled due to our move to GCC 4.6.x. It also includes
transparent fallback to non-OpenMP and/or pre-AVX program binaries when
the thread count would be 1 (such as because the system only has one
logical CPU) or when running on a CPU not supporting AVX, respectively.
Reference:
http://www.openwall.com/lists/john-users/2011/11/23/2

2011/10/29 Packages: syslinux, owl-cdrom; Owl/build/*

Packaged SYSLINUX - a collection of boot loaders - and moved from LILO
to ISOLINUX for the ISO-9660 images generated by "make iso".

Applied a fix for crash and potential arbitrary code execution when
processing a malformed/malicious package file. Although an RPM package
can, by design, execute arbitrary code when installed or even during
installation, this issue would potentially allow a specially-crafted RPM
package to execute arbitrary code when the package metadata is merely
queried, including for digital signature verification. Note that for
Owl RPM packages we do not rely on RPM's support for signatures;
instead, we sign *.mtree files. Please continue to verify detached
GnuPG signatures that we provide for such files with gpg(1), and then
verify RPM package files against the message digests found in *.mtree
files with mtree(8) (both of these tools are part of Owl). This kind of
verification was unaffected by this RPM issue. Please note that use of
RPM on untrusted package files, even if just to verify a signature,
remains risky despite this recent fix: RPM package format and
processing are complicated, so further issues of this kind are likely.
References:
http://www.openwall.com/lists/oss-security/2011/09/27/3
https://rhn.redhat.com/errata/RHSA-2011-1349.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
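The verification path recommended above keeps RPM away from untrusted input entirely: gpg(1) checks the detached signature on the *.mtree file, and only then are the package files compared against the digests recorded in it. The script below is an added example, not Owl code and not a replacement for mtree(8); it implements the second step for a simplified flat subset of the mtree format (comments, /set defaults, one file per line with size and md5digest/sha1digest/sha256digest keywords) and, in demo(), constructs a spec for two sample files, corrupts one of them in place, and lists a third that is absent. The file names and payloads are constructed for the example; the gpg --verify step on the spec itself is assumed to have been done beforehand.

```python
"""Verify package files against the digests in an mtree(8)-style spec.
Added example, not Owl code: flat subset of the mtree format only."""
import hashlib
import os
import tempfile

DIGEST_KEYWORDS = {"md5digest": "md5", "sha1digest": "sha1", "sha256digest": "sha256"}


def parse_spec(text: str) -> dict:
    """Return {filename: {keyword: value}}; /set defaults apply to following entries.
    Nested directories, '..' and /unset are out of scope for this simplified parser."""
    defaults, entries = {}, {}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        pairs = dict(kv.split("=", 1) for kv in words[1:] if "=" in kv)
        if words[0] == "/set":
            defaults.update(pairs)
            continue
        if words[0].startswith("/") or words[0] == "..":
            continue
        name = words[0][2:] if words[0].startswith("./") else words[0]
        entries[name] = {**defaults, **pairs}
    return entries


def verify(spec_text: str, root: str) -> dict:
    """Return {filename: [problems]}; an empty list means every recorded size/digest matched."""
    report = {}
    for name, kws in parse_spec(spec_text).items():
        if kws.get("type", "file") != "file":
            continue                      # only regular files carry digests
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report[name] = ["missing"]
            continue
        with open(path, "rb") as f:
            data = f.read()
        problems = []
        if "size" in kws and int(kws["size"]) != len(data):
            problems.append("size mismatch")
        for keyword, algo in DIGEST_KEYWORDS.items():
            if keyword in kws and hashlib.new(algo, data).hexdigest() != kws[keyword].lower():
                problems.append(f"{keyword} mismatch")
        report[name] = problems
    return report


def demo() -> dict:
    """Constructed run: spec for two files, one byte of the second corrupted in place
    (size unchanged, so only the digest catches it), and a third file that is absent."""
    files = {"example-a.rpm": b"constructed package payload A\n",
             "example-b.rpm": b"constructed package payload B\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        lines = ["# constructed spec in the style of mtree -c -K sha256digest", "/set type=file"]
        for name, content in files.items():
            lines.append(f"{name} size={len(content)} sha256digest={hashlib.sha256(content).hexdigest()}")
        lines.append("example-missing.rpm size=0 sha256digest=" + "0" * 64)
        with open(os.path.join(root, "example-b.rpm"), "r+b") as f:
            f.write(b"X")                 # overwrite the first byte, keeping the size
        return verify("\n".join(lines) + "\n", root)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

Nothing in this path parses RPM headers, which is the point: a crafted package can only be detected as a digest mismatch, never get a chance to exercise RPM's metadata code before its integrity is established.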

2011/10/10 Package: SysVinit

Applied a patch to set the shell name to /bin/bash, not /bin/sh, such
that colored ls output is enabled on our LiveCD.

Updated the kernel to 2.6.18-274.3.1.el5.028stab094.3 (OpenVZ's latest
stable from their RHEL 5 based branch, now rebased on RHEL 5.7's).
Restricted permissions on /proc/slabinfo as a security hardening
measure. Moved some OpenVZ features to modules like it is done in
OpenVZ's official kernel builds. Changed CONFIG_UDF_FS=y to =m.
Changed CONFIG_BLK_DEV_CRYPTOLOOP and most CONFIG_CRYPTO_* from =y to
=m. On x86_64, changed CONFIG_PCNET32 and CONFIG_FORCEDETH (these are
some of the 100 Mbps NIC drivers) from =y to =m. Of the 100 Mbps NIC
drivers, we're leaving only those for Intel, Realtek, and
NE2000-compatible PCI NICs built into the kernel on x86_64 now. Set
CONFIG_SCSI_AIC94XX=y and CONFIG_BLK_CPQ_CISS_DA=y (the latter was
already =y on i686, now it is =y on x86_64 as well). Although we
reference two Red Hat security advisories below, none of the worse than
local DoS issues listed in those advisories affect our previous kernel
builds, either because we do not build the affected components, or in
the case of CVE-2011-2495 because we already had the permissions on
/proc/PID/io restricted before Owl 3.0 release.
References:
https://openvz.org/Download/kernel/rhel5/028stab094.3
https://rhn.redhat.com/errata/RHSA-2011-1212.html
https://openvz.org/Download/kernel/rhel5/028stab093.2
https://rhn.redhat.com/errata/RHSA-2011-1065.html
http://www.openwall.com/lists/kernel-hardening/2011/09/27/3

2011/10/09 Packages: tzdata, glibc; Owl/build/installorder.conf

Moved timezone data files from glibc to new package tzdata, updated it
to version 2011k.

2011/09/07 Owl/build/{install*.sh,installorder.conf}

Support for optional package tags has been added to installorder.conf
and made use of in install*.sh scripts. Currently supported are:
"D:" - CD only;
"d:" - exclude from CD;
"E:" - exclude from CD and OpenVZ container templates;
"H:" - host only (exclude from OpenVZ container templates).

crypt_blowfish has been updated to version 1.1 (and then to 1.2), which
fixes the 8-bit character handling bug and adds 8-bit test vectors and a
quick self-test on every password hash computation. The impact of this
bug was that most (but not all) passwords containing non-ASCII
characters with the 8th bit set were hashed incorrectly, resulting in
password hashes incompatible with those of OpenBSD's original
implementation of bcrypt. What's worse, in some cases (but not in all)
one, two, or three characters immediately preceding the 8-bit characters
were ignored by the password hash computation. Thus, many passwords
containing characters with the 8th bit set were significantly easier to
crack than it was previously expected. This primarily applies to
offline attacks against the password hashes (if the hashes are leaked or
stolen), but in rare extreme cases it might also apply to remote
password guessing attacks. In practice, passwords with non-ASCII
characters are relatively uncommon and are typically more complicated
than average, so they're unlikely to be an attractive target for
attacks, despite the weakness that this bug exposes them to. Yet the
risk is there. With this glibc update, existing users' passwords
containing characters with the 8th bit set will mostly stop working,
because the hashes will be computed correctly and not match the
incorrectly computed hashes recorded in the system. In order to allow
users to log in after the upgrade even if they have a potentially
affected password, the newly introduced backwards compatibility hash
encoding prefix of "$2x$" may be used. Such password hashes should only
be used during a transition period; when passwords are changed and
hashed using the correct algorithm, another newly introduced "$2y$"
prefix is used. After installation of this glibc update, login services
such as sshd(8) should be restarted ("service sshd restart" and so on)
in order for users' newly changed passwords (with the "$2y$" prefix on
the hash encodings) to be recognized.
References:
http://www.openwall.com/lists/announce/2011/06/21/1
http://www.openwall.com/lists/oss-security/2011/06/24/1
http://www.openwall.com/lists/oss-security/2011/06/29/16
http://www.openwall.com/lists/john-dev/2011/07/06/15
http://www.openwall.com/lists/oss-security/2011/07/07/9
http://www.openwall.com/lists/oss-security/2011/07/08/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483

2011/06/22 Package: john

In an effort sponsored by Rapid7, the bitslice DES S-box expressions
have been replaced with those generated by Roman Rusakov specifically
for John the Ripper. The corresponding assembly code for x86 with MMX,
SSE2, and for x86-64 with SSE2 has been re-generated. Support for
bcrypt hashes of passwords containing characters with the 8th bit set
has been corrected. (The old buggy behavior may be enabled per-hash,
using the "$2x$" prefix.) The external mode virtual machine's
performance has been improved. This update of John the Ripper has also
been released separately from Owl as version 1.7.8.
References:
http://www.openwall.com/lists/john-users/2011/06/22/1
https://www.rapid7.com

Updated to 2.6.18-238.5.1.el5.028stab085.3, which is now marked as
"RHEL5 stable". This fixes a kernel Oops caused by nfsd. Also fixed
an Owl-specific x86_64 gettimeofday(2) VDSO issue, which manifested
itself in some 64-bit programs inside containers with some Linux
distributions (not Owl) crashing with SIGSEGV. The issue was new with
-238 kernels (thus, it was not present in Owl 3.0, nor in 3.0-stable).
References:
https://openvz.org/Download/kernel/rhel5/028stab085.3
https://bugs.openvz.org/browse/OVZ-4946

Updated to 2.3.4. This release corrects a DoS vulnerability discovered by
Maksymilian Arciemowicz where an attacker permitted to log in to an FTP server
would be able to cause the vsftpd child process(es) spawned for their
session(s) to consume excessive amounts of CPU time. If the attack is carried
out on a sufficient number of FTP sessions (possibly from multiple source IP
addresses to exceed a possible per-source limit), the FTP service would become
unavailable and other services of the system would be greatly impacted.
References:
http://securityreason.com/achievement_securityalert/95
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0762

New package: vconfig is a user mode program to add and remove 802.1q
VLAN virtual devices from Ethernet devices.

2011/01/29 Package: kernel

Dealt with two known critical x86_64 specific bugs introduced in
2.6.18-238.1.1.el5.028stab083.1, applying a fix for one of them (bootup
on systems with more than 8 logical CPUs) and working around the other
(VDSO, which is now temporarily disabled on x86_64, to be re-enabled
with the next kernel update).
Reference:
https://openvz.org/Download/kernel/rhel5-testing/028stab083.1

2011/01/29 Package: nmap

Updated to 5.50.

2011/01/28 Package: usbutils

New package: usbutils contains the lsusb utility for inspecting the
devices connected to the USB bus.

New package: bridge-utils is a tool for configuring the Linux Ethernet
bridge.

2011/01/27 Package: pv

New package: PV ("Pipe Viewer") is a tool for monitoring the progress of
data through a pipeline.

2011/01/27 Package: ethtool

New package: ethtool is a utility for controlling network drivers and
hardware, particularly for wired Ethernet devices.

2011/01/25 Package: e2fsprogs

Updated to 1.41.14.

2011/01/24 Package: owl-startup

Added "-s 131072" to the dmesg invocation in rc.sysinit. Without this
change, /var/run/dmesg.boot was often incomplete.

2011/01/24 Package: lilo

Updated to 23.1.

2011/01/24 Package: vim

Moved a few syntax highlighting related files from the vim-syntax to the
vim-enhanced subpackage to correct a packaging error where some files
in vim-enhanced were dependent upon files from vim-syntax, which is not
installed by default.